rhadamanthys | 8beb4fe88ebacd1846a7b9b153b61e61efcb153c9140c433b6907efda18e965a

Analysis

max time kernel
103s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
Size

3.5MB
MD5

b8552b573a8f0fc48aad052856347280
SHA1

9a4239ffc7533672362b3d832e2ca0a578821a6a
SHA256

8beb4fe88ebacd1846a7b9b153b61e61efcb153c9140c433b6907efda18e965a
SHA512

94f1df49723b95a719c4830b27947352502470b7d8666654b98eff41335aaddd68faa94f3e27561a742d621bf0e7b276b6027038e4145b51081844d4a4de3f19
SSDEEP

49152:CHBVPVP2ym8r2JdVTWRh1/6/R1I9AihZZ7WEqnXrtRI93iS5TChmqrjNZE3gQxjN:ERAMBChm+jPE35ENoMcUPBjU

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral1/memory/5340-1-0x0000000006EE0000-0x0000000007002000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5340 created 2516	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	42

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
4308	svchost.exe
4308	svchost.exe
4308	svchost.exe
4308	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5340 wrote to memory of 4308	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	89
PID 5340 wrote to memory of 4308	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	89
PID 5340 wrote to memory of 4308	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	89
PID 5340 wrote to memory of 4308	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	89
PID 5340 wrote to memory of 4308	5340	2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe	89

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2516
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

C:\Users\Admin\AppData\Local\Temp\2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-12_b8552b573a8f0fc48aad052856347280_elex_icedid.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5340

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-11-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/4308-19-0x0000000001510000-0x0000000001910000-memory.dmp

Filesize
4.0MB

Download
memory/4308-18-0x0000000001510000-0x0000000001910000-memory.dmp

Filesize
4.0MB

Download
memory/4308-17-0x00000000759E0000-0x0000000075BF5000-memory.dmp

Filesize
2.1MB

Download
memory/4308-15-0x00007FF8C7B30000-0x00007FF8C7D25000-memory.dmp

Filesize
2.0MB

Download
memory/4308-14-0x0000000001510000-0x0000000001910000-memory.dmp

Filesize
4.0MB

Download
memory/5340-4-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/5340-8-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/5340-7-0x00007FF8C7B30000-0x00007FF8C7D25000-memory.dmp

Filesize
2.0MB

Download
memory/5340-10-0x00000000759E0000-0x0000000075BF5000-memory.dmp

Filesize
2.1MB

Download
memory/5340-6-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/5340-5-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download
memory/5340-0-0x0000000004480000-0x000000000459D000-memory.dmp

Filesize
1.1MB

Download
memory/5340-3-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/5340-2-0x0000000004720000-0x0000000004728000-memory.dmp

Filesize
32KB

Download
memory/5340-1-0x0000000006EE0000-0x0000000007002000-memory.dmp

Filesize
1.1MB

Download
memory/5340-20-0x0000000004480000-0x000000000459D000-memory.dmp

Filesize
1.1MB

Download
memory/5340-21-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/5340-22-0x0000000007100000-0x0000000007500000-memory.dmp

Filesize
4.0MB

Download